This paper revisits a flaw in the Merkle tree construction underlying Bitcoin’s light client security model. Although Bitcoin was innovative in introducing Proof of Work and simple payment verification (SPV), a design shortcoming in its Merkle tree structure can be exploited to prove the inclusion of a malicious or nonexistent transaction in a block. We investigate how this fault remains not only theoretical but can compromise the security of real-world systems. In particular, we examine Core Chain (an EVM-compatible blockchain using delegated Proof of Work from Bitcoin miners), which relies on a Bitcoin light client for consensus. We show that an attacker can exploit the Merkle tree flaw to forge proofs of mining power delegation. By removing all mining power from legitimate validators, the entire consensus process can be disrupted. Furthermore, we outline potential mitigations and best practices for light-client developers, and emphasize why those do not suffice, and necessary changes within Bitcoin itself are required to eliminate this vulnerability.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Revisiting Bitcoin’s Merkle Tree Security: Practical Implications and an Attack on Core Chain

  • Yogev Bar-On

摘要

This paper revisits a flaw in the Merkle tree construction underlying Bitcoin’s light client security model. Although Bitcoin was innovative in introducing Proof of Work and simple payment verification (SPV), a design shortcoming in its Merkle tree structure can be exploited to prove the inclusion of a malicious or nonexistent transaction in a block. We investigate how this fault remains not only theoretical but can compromise the security of real-world systems. In particular, we examine Core Chain (an EVM-compatible blockchain using delegated Proof of Work from Bitcoin miners), which relies on a Bitcoin light client for consensus. We show that an attacker can exploit the Merkle tree flaw to forge proofs of mining power delegation. By removing all mining power from legitimate validators, the entire consensus process can be disrupted. Furthermore, we outline potential mitigations and best practices for light-client developers, and emphasize why those do not suffice, and necessary changes within Bitcoin itself are required to eliminate this vulnerability.